Vendor waited six weeks to notify Ohio officials of data breach

Computerworld - The Ohio state attorney general’s office is investigating the terms of a contract between the state Department of Administrative Services and a New Jersey-based prescription drug benefits provider after a laptop computer containing the unencrypted Social Security numbers and birth dates of about 4,300 state workers and 300 of their dependents was stolen in late December.

The theft wasn’t reported to the state until last month.

Ben Piscitelli, a spokesman for the Ohio Department of Administrative Services (DAS), said the laptop was stolen Dec. 28 from the home of an employee of Medco Health Solutions Inc., which handles prescription drug benefits for state employees. Medco officials waited until Feb. 8 to inform the state about the theft.

“We told them that delay was unacceptable,” Piscitelli said. Officials of the Franklin Lakes, N.J.-based company met with state DAS officials on Feb. 16 and agreed to provide free credit- and fraud-monitoring services to the affected workers for one year to help them watch their credit records for potential illegal activity, he said. The DAS announced the incident and its aftermath in a statement last week .

The DAS has also asked Attorney General Jim Petro to review the two-year, $4 million drug benefits management contract DAS has with Medco through July 2007.

Kim Norris, a spokeswoman for the attorney general’s office, said the contract is being reviewed for any violations that may have occurred in terms of data security. “If they promised to protect the information in a certain manner, those are the kinds of issues we’ll look at,” she said. “We’re working on that right now.”

If related violations of specific agreements are found, the state could sue Medco, Norris said.

Piscitelli said the Medco employee had possession of a laptop computer owned by Medco that contained the prescription benefits membership numbers -- which are the same as employee Social Security numbers -- of the state employees and dependents. Birth dates and details about the drugs the patients were taking were also in the data records. But the data, which is from 2003 and 2004, did not include names or addresses of the affected persons.

The Medco employee was using the data for a routine audit of the prescription benefits records of the patients, Piscitelli said.

“Our concern is that the state can’t gamble” with such data losses, he said. “We hope that this was just a theft, that someone was interested in the laptop and not the information on it.”

The agency has received no reports of identity theft or credit fraud from any of the persons affected by the incident, Piscitelli said.